ACME Bank has developed a new Internet Banking portal, which is due to be deployed into its UAT environment. The application has followed the bank's SDLC process and should be in a secure state. The internal security team at ACME Bank has been tasked with ensuring that, once deployed into the UAT environment, the application does not pose a risk to other applications, since it will be hosted on a shared platform and database. After an internal threat modeling exercise was performed, it was agreed that the application, and the data stored within it, carried a high level of risk.

The team makes use of a well-known web application scanning tool and starts by mapping out the application in preparation for the automated scanning phase. Once the mapping is complete, the automated scan is started and left to run to completion. Once the report has been generated, the security analyst checks the findings for false positives (such as reported SQL injection or XSS that cannot actually be exploited) and amends the report as necessary. Any confirmed findings are reported back to the system owners and development team to be rectified. Once the fixes have been completed, the application is re-tested to ensure the findings have been resolved in a suitable manner.

In this example, using the ASVS would allow the internal team to test for common application flaws as well as verify that the application had been developed in accordance with the bank's security standard, rather than relying on the scanner's coverage alone.

The OWASP ASVS defines the standard in 4 levels:

For example, Level 1 is defined as follows:

An application achieves Level 1 (or Opportunistic) certification if it adequately defends against application security vulnerabilities that are easy to discover.